Administrative fine imposed on higher education institution for data protection violations connected to processing of location data recorded as part of working hours monitoring
The Office of the Data Protection Ombudsman's sanctions board imposed an administrative fine on a university of applied sciences for processing employee location data in violation of data protection legislation. The controller processed location data of its employees unnecessarily and without legal grounds using a mobile application intended for recording working hours. The Deputy Data Protection Ombudsman also ordered the controller to end the processing of location data.
The controller had introduced a mobile application that allowed employees doing remote work to record their working hours. Using the application in a mobile device also required allowing the use of the employee's location data. Collecting location data at the time of recording the working hours is an application property without which the app does not allow the recording of working hours.
According to the controller, the processing of data is based on the consent given by the employees. The use of the application has been voluntary.
There were no legal grounds for processing location data on employees
According to the report given by the controller, the controller has not actively used or made use of the location data in any circumstances, but the data collected at the time of recording has been processed only for system technical reasons. However, the mere fact that the app does not allow recording of working hours without the processing of location data does not make the processing of the data necessary. Therefore, the Deputy Data Protection Ombudsman considers that the controller has processed the personal information related to the location of employees in violation of the requirement of necessity under the Data Protection Act.
Furthermore, there have been no legal grounds under the General Data Protection Regulation for the processing of location data. The Deputy Data Protection Ombudsman notes that consent does not supersede the requirement of necessity under data protection legislation in working life, and, therefore, consent given by the data subjects cannot serve as legal grounds for collecting unnecessary personal information. By collecting unnecessary location data on employees, the controller has also acted in violation of the GDPR principle of data minimisation.
In addition, the Deputy Data Protection Ombudsman notes that no services or systems that do not enable compliance with data protection regulations or do not meet the controller's needs should be taken to use.
Administrative fine and processing ban imposed on the controller
The Office of the Data Protection Ombudsman's sanctions board imposed an administrative fine of EUR 25,000 for violations of data protection legislation on the controller. In addition, the Deputy Data Protection Ombudsman imposed a processing ban on the controller, covering all processing related to location data being or having been collected with the application.
As a mitigating factor significantly reducing the amount of the administrative fine it was taken into account that the main purpose of the operations of universities of applied sciences is not to seek profit but to provide higher education as prescribed by law.
The decisions are not yet final, and they can be appealed against to the Administrative Court.
Data Protection Ombudsman Anu Talus, anu.talus(at)om.fi, puh. 029 566 6766
From 2.8. Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa, helja-tuulia.pihamaa(at)om.fi, puh. 029 56 66787
The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act. The sanctions board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, and it has the power to impose administrative fines for violations of data protection legislation. The maximum amount of the administrative fine is four percent of the company’s turnover or EUR 20 million.